LinuxQuestions.org, *BSD forum: FQDN in Packet Filter (https://www.linuxquestions.org/questions/%2Absd-17/fqdn-in-packet-filter-4175699110/)

Rajasekhar Bhumireddy 08-13-2021 04:53 AM

FQDN in Packet Filter
 
I want to restrict access to specific public domain names from my machine.

To achieve this, I am providing fully qualified domain names in a packet filter rule.

For example:

pass out on <interface> inet from <myip> to example.com
pass in on <interface> inet from example.com to <myip>

What I understood from the OpenBSD's user guide is "A fully qualified domain name that will be resolved via DNS when the ruleset is loaded. All resulting IP addresses will be substituted into the rule"

I have a few queries about this:

1. IPs are substituted into the rule while loading the ruleset; what if the IP of the domain name changes after loading?

2. Is this FQDN option in a pf rule only for static IPs?

3. Does it consider the IP dynamicity of the domain name?

jggimi 08-13-2021 07:37 AM

For PF, domain resolution occurs at rule loading time ONLY. And if the rules are being loaded during boot by rc(8), a domain name server may not yet be available to the OS. In that case, resolution must come from a hosts(5) file rather than a server. For HTTP/HTTPS traffic, the better solution is relayd(8). There's an example of blocking a social media website in the relayd.conf(5) man page.
Quote:

Originally Posted by Rajasekhar Bhumireddy (Post 6274878)
1. IPs are substituted into the rule while loading the ruleset; what if the IP of the domain name changes after loading?

There will be no change to the rule(s) created at load time.
Quote:

2. Is this FQDN option in a pf rule only for static IPs?
Yes.
Quote:

3. Does it consider the IP dynamicity of the domain name?
No.

jggimi 08-13-2021 09:32 AM

Two additional points on domain resolution.
  1. If during resolution there are both IPv4 and IPv6 addresses resolved -- both A and AAAA records returned by DNS or both IPv4 and IPv6 addresses in hosts(5) -- there will be two rules created internally for PF: one each for IPv4 and for IPv6.
  2. If the domain resolves to multiple addresses, then a temporary table is loaded with the addresses for each rule.
As an example, a rule written as
Code:

pass in from yahoo.com
will produce two internal rules with two temporary tables, as shown in the output from `# pfctl -sr`, since yahoo.com resolves to a pool of IPv4 addresses and a pool of IPv6 addresses:
Code:

pass in inet6 from <__automatic_311a83f5_0> to any flags S/SA
pass in inet from <__automatic_311a83f5_1> to any flags S/SA
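Since pf resolves a hostname only once, at ruleset load time (first reply), and files the resulting IPv4 and IPv6 addresses into automatic tables that are never refreshed (second reply), the usual way to keep up with changing records is to reference a named, persistent table in pf.conf and refresh that table from a cron job. The script below is an added example, not code from this thread or from OpenBSD; the table name `allowed_domains`, the pf.conf fragment in the comments, and the use of host(1) as the resolver are assumptions, and the resolver output used for testing is constructed with documentation addresses (192.0.2.0/24, 2001:db8::/32). On a resolution failure the table is deliberately left unchanged rather than emptied, so a transient DNS outage cannot silently widen or shrink what the rule matches.

```shell
#!/bin/sh
# Added example (not from the thread or OpenBSD): keep a pf table in sync
# with a domain's current A/AAAA records, instead of relying on the one-time
# resolution pf performs when the ruleset is loaded.
#
# Assumed pf.conf fragment (hypothetical table name):
#   table <allowed_domains> persist
#   pass out on egress from (egress) to <allowed_domains>
# A table may hold both IPv4 and IPv6 entries, so one rule without an
# address-family keyword covers both families.
#
# Intended use from cron, e.g. every few minutes:
#   sh refresh-domain-table.sh example.com

TABLE="allowed_domains"

# Constructed sample of host(1) output, used only for offline testing.
SAMPLE_HOST_OUTPUT='example.com has address 192.0.2.10
example.com has address 192.0.2.11
example.com has IPv6 address 2001:db8::10
example.com mail is handled by 0 .'

# Pull IPv4 and IPv6 addresses out of host(1)-style output ("... has address X"
# and "... has IPv6 address Y"), dropping duplicates but keeping order.
# Taking the text as an argument keeps the parsing testable without network.
parse_host_output() {
    printf '%s\n' "$1" | awk '
        /has address/      { print $NF }
        /has IPv6 address/ { print $NF }
    ' | awk '!seen[$0]++'
}

# Count entries of one address family in a newline-separated list, mirroring
# the inet/inet6 split pf makes when it builds its automatic tables.
count_family() {   # $1 = address list, $2 = "inet" or "inet6"
    printf '%s\n' "$1" | awk -v fam="$2" '
        fam == "inet"  && $0 ~ /^[0-9.]+$/ { n++ }
        fam == "inet6" && $0 ~ /:/         { n++ }
        END { print n + 0 }'
}

# Build the pfctl command line that atomically replaces the table contents.
# Returned as text so it can be inspected; only refresh_table() executes it.
build_replace_cmd() {   # $1 = address list (newline separated)
    list=$(printf '%s\n' "$1" | tr '\n' ' ')
    list=${list% }      # drop the trailing space left by tr
    printf 'pfctl -t %s -T replace %s\n' "$TABLE" "$list"
}

# Resolve one domain and replace the table. If resolution fails or yields no
# addresses, leave the table untouched: an empty replace would silently
# change what the rule matches during a DNS outage.
refresh_table() {   # $1 = domain
    out=$(host "$1" 2>/dev/null) || {
        echo "resolution failed for $1; table $TABLE left unchanged" >&2
        return 1
    }
    addrs=$(parse_host_output "$out")
    [ -n "$addrs" ] || {
        echo "no addresses for $1; table $TABLE left unchanged" >&2
        return 1
    }
    # shellcheck disable=SC2046  # word splitting of the address list is intended
    pfctl -t "$TABLE" -T replace $(printf '%s\n' "$addrs" | tr '\n' ' ')
}

# Only touch pf when run with domain arguments on a host that has pfctl.
if [ "$#" -ge 1 ] && command -v pfctl >/dev/null 2>&1; then
    for d in "$@"; do
        refresh_table "$d"
    done
fi
```

Note that `pfctl -T replace` swaps the whole table in one operation, so there is no window in which the table is empty between removing old entries and adding new ones; the refresh interval should be no longer than the record's TTL if you want the table to track the zone closely.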



All times are GMT -5. The time now is 01:24 AM.